A long, long time has passed since my first post on Cross-Site Scripting. Looking back on it now, I realize that I have learned a lot since then. I do not think that post cuts the mustard anymore and I will need to do some writing to make up for that.

In the meantime, the topic of XSS came up on a discussion board a few weeks before I started writing this, and again on Ray's blog today, and I wanted to take some time to explore it in more depth. One common misconception about XSS mitigation in ColdFusion is that the best way to handle it is to use HTMLEditFormat() to output any user generated data. I had this same misconception for a long time and have helped to spread it.

While it is true that HTMLEditFormat() can stop many attacks in many places in your applications, it is not a catch-all for XSS. HTMLEditFormat() escapes only the characters that are significant in HTML body content (&, <, > and the double quote), so it protects the HTML block content context and nothing else. Your applications have several other contexts, such as attribute values, JavaScript blocks and URLs, where dynamic output can open up XSS vulnerabilities that HTMLEditFormat() cannot stop.

In this post, we will discuss these contexts, what they are, and why they need to be treated differently.
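The following is an added example, not code from the original post, to show why one encoder cannot serve every context. The htmlEditFormat() function is a stand-in that mimics what ColdFusion's HTMLEditFormat() escapes so the behaviour can be exercised outside ColdFusion; the other encoders, the template strings and the payloads are assumptions constructed for the illustration.

```javascript
// Added example, not code from the original post: context-specific output
// encoding. htmlEditFormat() is a stand-in that mimics ColdFusion's
// HTMLEditFormat(); the other encoders and templates are assumptions.

// Mimics HTMLEditFormat(): escapes only &, <, > and the double quote.
// The single quote, spaces, = and ( ) all pass through untouched.
function htmlEditFormat(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// JavaScript string-literal context: every non-alphanumeric character becomes
// \xHH (or \uHHHH), so no input can terminate the literal it sits in.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// HTML attribute context: entity-encode every non-alphanumeric character, and
// only ever emit the value inside quotes (see renderQuotedAttribute).
function encodeForHtmlAttribute(s) {
  return String(s).replace(
    /[^A-Za-z0-9]/g,
    (ch) => "&#x" + ch.charCodeAt(0).toString(16) + ";"
  );
}

// Context 1, HTML body: <div>#HTMLEditFormat(x)#</div>. Here HTMLEditFormat()
// is the right tool, because the only way to start a tag is with a raw "<".
function renderHtmlBody(userInput) {
  return "<div>" + htmlEditFormat(userInput) + "</div>";
}

// Context 2, JavaScript string: <script>var name = '#...(url.name)#';</script>
function renderJsString(userInput, encoder) {
  return "var name = '" + encoder(userInput) + "';";
}

// Runs the rendered statement inside an isolated function and reports whether
// the input stayed inside the string literal or broke out and ran as code.
function executeJsContext(userInput, encoder) {
  const script =
    "var pwned = false;\n" +
    renderJsString(userInput, encoder) +
    "\nreturn { name: name, pwned: pwned };";
  return new Function(script)();
}

// Context 3, unquoted attribute: <input value=#HTMLEditFormat(form.name)#>.
// Nothing in "x onmouseover=alert(1)" is a character HTMLEditFormat() escapes.
function renderUnquotedAttribute(userInput) {
  return "<input value=" + htmlEditFormat(userInput) + ">";
}

// The fix is two things at once: quote the attribute and encode for it.
function renderQuotedAttribute(userInput) {
  return '<input value="' + encodeForHtmlAttribute(userInput) + '">';
}

// Walks the three contexts with constructed attacker-style payloads.
function demo() {
  const jsPayload = "'; pwned = true; //";
  const attrPayload = "x onmouseover=alert(1)";
  return {
    body: renderHtmlBody("<script>alert(1)</script>"),
    jsWithHtmlEditFormat: executeJsContext(jsPayload, htmlEditFormat),
    jsWithJsEncoder: executeJsContext(jsPayload, encodeForJavaScript),
    attrUnquoted: renderUnquotedAttribute(attrPayload),
    attrQuoted: renderQuotedAttribute(attrPayload),
  };
}

console.log(demo());
```

In the JavaScript context the payload contains none of the four characters HTMLEditFormat() touches, so it closes the string literal and runs; the same input pushed through a JavaScript-string encoder comes back as an ordinary string value. In ColdFusion the closer fit for that context is JSStringFormat(), not HTMLEditFormat(). The unquoted attribute case shows a second lesson: encoding alone is not enough if the template leaves the attribute unquoted, because a space is all the attacker needs to start a new attribute.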

Last week this article was released about a faculty researcher at University of North Carolina at Chapel Hill.

The article describes how the University recently found out that a machine storing 180,000 social security numbers (used for research) was compromised back in 2007. The University is now hanging the researcher out to dry and admitting no fault of its own. There is no report yet on what is happening with the programmer/system admin that she hired to maintain the system.

This is a presentation that I did at cf.Objective(), CFUnited, and NCDevCon. I am very pleased to be able to now present it online for those that could not attend those events.

Here is the topic description:

With the introduction of Rich Internet Applications (RIAs) over the last several years, it seems that everyone is jumping on the RIA bandwagon. But is any thought being given to what might need to be done to ensure that our Web 2.0 applications are secure? Or are they introducing new vulnerabilities into existing applications? In this presentation, we will look at some of the security issues that can arise from introducing Ajax into your applications and at how to mitigate the risks of opening up remote services for Ajax.

As always, thank you to Charlie Arehart for all you do for the community and for continuing the Online ColdFusion Meetup for all this time. It is, without question, one of the most valuable resources for our community.

Wow. Things have been busy and I have been neglecting my blog. I feel bad about that. My blog is so important to me, and things have been keeping me away.

I am a teacher at heart. I love to teach. That is why I blog, that is why I present at conferences, and that is why I am going to grad school. So the fact that I have been unable to blog for a while upsets me greatly. But I want to tell you a little bit about why. This is not about making excuses. This is about what is keeping me busy and what I am learning about. It will also motivate me to blog about these things, and that's the important part.

I have a question re asymmetric encryption and the best way to achieve it....

I need to encrypt a credit card number on one server and store the encrypted string in a DB, and then 5 minutes later another server takes the card number off that DB and needs to decrypt it. Any suggestions gratefully received :)

After an e-mail exchange we determined that we were NOT just talking about using SSL between ColdFusion and the DB and we determined that using a symmetric algorithm would not be acceptable to the credit card service. So it seems that this user really did need asymmetric encryption in his application.